This documentation is for WSO2 Identity Server 5.6.0 . View documentation for the latest release.

All docs This doc

Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.


  1. Sign in. Enter your username and password to log on to the Management Console
  2. Navigate to the Main menu to access the Identity menu. Click Add under Identity Providers
    For more information, see Adding and Configuring an Identity Provider.  
  3. Fill in the details in the Basic Information section. 
  4. Expand the Federated Authenticators section and then the OAuth2/OpenID Connect Configuration form. 
  5. Fill in the following fields where relevant.

    Prior to this, you need to configure an application for Identity server in the federated authorization server and get the application information such as client ID and secret. For more information, see configuring OAuth2-OpenID Connect single sign-on


    The By default, the Client Id and Client Secret are stored as plain text values by default. By default, where the Client Secret is generally stored as a random number generated using two UUIDs and HMAC-SHA1 hash function, which is known to resist the strongest attack known against HMAC.

    If you want to change the format in which the Client Secret is stored, you need to change the <TokenPersistenceProcessor> property in the <IS_HOME>/repository/conf/identity/identity.xml file, depending on how you want to store tokens. For information on possible values that you can specify as <TokenPersistenceProcessor> based on your requirement, see Supported token persistence processors.

    Once you configure a required token persistence processor, be sure to restart the server for the changes to be applied to WSO2 Identity Server.

    FieldDescriptionSample value
    Enable OAuth2/OpenIDConnectSelecting this option enables OAuth2/OpenID Connect to be used as an authenticator for users provisioned to the Identity Server.Selected
    DefaultSelecting the Default check box signifies that the OAuth2/OpenID Connect credentials are the main/default form of authentication. This removes the selection made for any other Default checkboxes for other authenticators.Selected
    Authorization Endpoint URLThis is a standard OAuth Authorization Endpoint URL of the federated IDP.https://localhost:9443/oauth2/authorize/
    Token Endpoint URLThis is a standard OAuth Token Endpoint URL of the federated IDP.https://localhost:9443/oauth2/token/
    Client IdClient ID of the application you registered in the IDP for Identity server.1421263438188909
    Client SecretClient Secret of the application you registered in the IDP for Identity server. Click the Show button to view the value you enter.12ffb4dfb2fed67a00846b42126991f8
    Callback URLThis is the URL to which the browser should be redirected after the authentication is successful. It should be the commonauth endpoint of Identity serverhttps://localhost:9443/commonauth
    OpenID Connect User ID LocationSelect whether the User ID is found in the 'sub' attribute that is sent with the OpenID Connect request or if it is found among claims.User ID found in 'sub' attribute
    Additional Query ParametersThis is necessary if you are connecting to another Identity Server or application. Sometimes extra parameters are required by this IS or application so these can be specified here.paramName1=value1